The Duty Comes From the Data: Rethinking Platform Liability in the Age of Algorithmic Harm

For too long, dominant tech platforms have hidden behind Section 230 of the Communications Decency Act, claiming immunity for any harm caused by third-party content they host or promote. But as platforms like TikTok, YouTube, and Google have long ago moved beyond passive hosting into highly personalized, behavior-shaping recommendation systems, the legal landscape is shifting in the personal injury context. A new theory of liability is emerging—one grounded not in speech, but in conduct. And it begins with a simple premise: the duty comes from the data.

Surveillance-Based Personalization Creates Foreseeable Risk

Modern platforms know more about their users than most doctors, priests, or therapists. Through relentless behavioral surveillance, they collect real-time information about users’ moods, vulnerabilities, preferences, financial stress, and even mental health crises. This data is not inert or passive. It is used to drive engagement by pushing users toward content that exploits or heightens their current state.

If the user is a minor, a person in distress, or someone financially or emotionally unstable, the risk of harm is not abstract. It is foreseeable. When a platform knowingly recommends payday loan ads to someone drowning in debt, promotes eating disorder content to a teenager, or pushes a dangerous viral “challenge” to a 10-year-old child, it becomes an actor, not a conduit. It enters the “range of apprehension,” to borrow from Judge Cardozo’s reasoning in Palsgraf v. Long Island Railroad (one of my favorite law school cases). In tort law, foreseeability or knowledge creates duty. And here, the knowledge is detailed, intimate, and monetized. In fact it is so detailed we had to coin a new name for it: Surveillance capitalism.

Algorithmic Recommendations as Calls to Action

Defenders of platforms often argue that recommendations are just ranked lists—neutral suggestions, not expressive or actionable speech. But I think in the context of harm accruing to users for whatever reason, speech misses the mark. The speech argument collapses when the recommendation is designed to prompt behavior. Let’s be clear, advertisers don’t come to Google because speech, they come to Google because Google can deliver an audience. As Mr. Wanamaker said, “Half the money I spend on advertising is wasted; the trouble is I don’t know which half.” If he’d had Google, none of his money would have been wasted–that’s why Google is a trillion dollar market cap company.

When TikTok serves the same deadly challenge over and over to a child, or Google delivers a “pharmacy” ad to someone seeking pain relief that turns out to be a fentanyl-laced fake pill, the recommendation becomes a call to action. That transforms the platform’s role from curator to instigator. Arguably, that’s why Google paid a $500,000,000 fine and entered a non-prosecution agreement to keep their executives out of jail. Again, nothing to do with speech.

Calls to action have long been treated differently in tort and First Amendment law. Calls to action aren’t passive; they are performative and directive. Especially when based on intimate surveillance data, these prompts and nudges are no longer mere expressions—they are behavioral engineering. When they cause harm, they should be judged accordingly. And to paraphrase the gambling bromide, they get paid their money and they takes their chances.

Eggshell Skull Meets Platform Targeting

In tort law, the eggshell skull rule (Smith v. Leech Brain & Co. Ltd., my second favorite law school tort case) holds that a defendant must take their victim as they find them. If a seemingly small nudge causes outsized harm because the victim is unusually vulnerable, the defendant is still liable. Platforms today know exactly who is vulnerable—because they built the profile. There’s nothing random about it. They can’t claim surprise when their behavioral nudges hit someone harder than expected.

When a child dies from a challenge they were algorithmically fed, or a financially desperate person is drawn into predatory lending through targeted promotion, or a mentally fragile person is pushed toward self-harm content, the platform can’t pretend it’s just a pipeline. It is a participant in the causal chain. And under the eggshell skull doctrine, it owns the consequences.

Beyond 230: Duty, Not Censorship

This theory of liability does not require rewriting Section 230 or reclassifying platforms as publishers, although I’m not opposed to that review. It’s a legal construct that may have been relevant in 1996 but is no longer fit for purpose. Duty as data bypasses the speech debate entirely. What it says is simple: once you use personal data to push a behavioral outcome, you have a duty to consider the harm that may result and the law will hold you accountable for your action. That duty flows from knowledge, very precise knowledge that is acquired with great effort and cost for a singular purpose–to get rich. The platform designed the targeting, delivered the prompt, and did so based on a data profile it built and exploited. It has left the realm of neutral hosting and entered the realm of actionable conduct.

Courts are beginning to catch up. The Third Circuit’s 2024 decision in Anderson v. TikTok reversed the district court and refused to grant 230 immunity where the platform’s recommendation engine was seen as its own speech. But I think the tort logic may be even more powerful than a 230 analysis based on speech: where platforms collect and act on intimate user data to influence behavior, they incur a duty of care. And when that duty is breached, they should be held liable.

The duty comes from the data. And in a world where your data is their new oil, that duty is long overdue.

What the MLC Can Learn from Orphan Works

As you may be aware, The MLC recently received $424 million as payment of the “inception to date” unmatched mechanical royalties held at a number of streaming platforms, sometimes called the “black box.” Why do we have a black box at all? For the same reason you have “pending and unmatched” at record companies–somebody decided to exploit the recording without clearing the song.

Streaming services will, no doubt, try to blame the labels for this missing data, but that dog don’t hunt. First, the streaming service has an independent obligation to obtain a license and therefore to know who they are licensing from. Just because the labels do, too, doesn’t diminish the service’s obligation. It must also be said that for years, services did not accept delivery of publishing metadata even if a label wanted to give it to them. So that helps explain how we get to $424 million. Although the money was paid around mid-February, it’s clearly grown because The MLC is to hold the funds in an interest-bearing account, although The MLC has yet to disclose the current balance. Maybe someday.

This payment is, rough justice, a quid pro quo for the new “reach back” safe harbor that the drafters of Title I came up with that denies songwriters the right to sue for statutory damages if a platform complies with their rules including paying this money. That’s correct–songwriters gave up a valuable right to get paid with their own money.

The MLC has not released details about these funds as yet, but one would expect that the vast majority of the unmatched would be for accounting periods prior to the enactment of Title I of the Music Modernization Act (Oct. 11, 2018). One reason that expectation would be justified is that Title I requires services to try hard(er) to match song royalties with song owners. The statute states “…a digital music provider shall engage in good-faith, commercially reasonable efforts to identify and locate each copyright owner of such musical work (or share thereof)” as a condition of being granted the safe harbor.

The statute then goes on to list some examples of “good faith commercially reasonable efforts”. This search, or lack thereof, is at the heart of Eight Mile Style and Martin Affiliated’s lawsuit against Spotify and the Harry Fox Agency. (As the amended complaint states, “Nowhere does the MMA limitation of liability section suggest that it lets a DMP off the hook for copyright infringement liability for matched works where the DMP simply committed copyright infringement. The same should also be true where the DMP had the information, or the means, to match, but simply ignored all remedies and requirements and committed copyright infringement instead. Spotify does not therefore meet the requirements for the liability limitations of the MMA with respect to Eight Mile for this reason alone.”)

The MMA language is similar to “reasonably diligent search” obligations for orphan works, which are typically works of copyright where the owner cannot be identified by the user after trying to find them. This may be the only aspect of orphan works practice that is relevant to the black box under MMA. Since considerable effort has been put into coming up with what constitutes a proper search, particularly in Europe, it might be a good idea to review those standards.

We may be able to learn something about what we expect the services to have already done before transferring the matching problem to the MLC and what we can expect the MLC to do now that they have the hot potato. The MMA provides non-exclusive examples of what would comprise a good search, so it is relevant what other best practices may be out there.

Establishing reference points for what constitutes “good faith commercially reasonable efforts” under MMA is important to answer the threshold question: Is the $424 million payment really all there is? How did the services arrive at this number? While we are impressed by the size of the payment, that’s exactly the reason why we should inquire further about how it was arrived at, what periods it is for and whether any deductions were made. Otherwise it’s a bit like buying the proverbial pig in the proverbial poke.

One method lawmakers have arrived at for determining reasonableness is whether the work could be identified by consulting readily available databases identified by experts (or common sense). For example, if a songwriter has all their metadata correct with the PROs, it’s going to be a bit hard to stomach that either the service or the MLC can’t find them.

Fortunately, we have the Memorandum of Understanding from the European Digital Libraries initiative which brought together a number of working groups to develop best practices to search for different copyright categories of orphan works. The Music/Sound Working Group was represented by Véronique Desbrosses of GESAC and Shira Perlmutter, then of IFPI and now Register of Copyrights (head of the U.S. Copyright Office). The Music/Sound Working Group established these reasonable search guidelines:

DUE DILIGENCE GUIDELINES

The [Music/Sound] Working Group further discussed what constituted appropriate due diligence in dealing with the interests of the groups represented at the table—i.e., what a responsible [user] should, and does, do to find the relevant right holders. We agreed that at least the following searches should be undertaken:

1. Check credits and other information appearing on the work’s packaging (including names, titles, date and place of recording) and follow up through those leads to find additional right holders (e.g., contacting a record [company] to find the performers).

2. Check the databases/membership lists of relevant associations or institutions representing the relevant category of right holder (including collecting societies, unions, and membership or trade associations). In the area of music/sound, such resources are extensive although not always exhaustive.

3. Utilise public search engines to locate right holders by following up on whatever names and facts are available.

4. Review online copyright registration lists maintained by government agencies, such as the U.S. Copyright Office.

Perhaps when the MLC audits the inception to date payments we’ll have some idea of whether the services complied with these simple guidelines.